Maven Central Setup #67

th5 opened this issue Nov 24, 2021 · 2 comments
th5 commented Nov 24, 2021

Hi, @hjwilli and @augustearth

Please create accounts on the Sonatype JIRA and let me know what the usernames are. Then I'll open a ticket to add them to Carnival on Maven.
https://issues.sonatype.org/secure/Signup!default.jspa

We can also create a service account. It would need to have an email associated with it.

Below are some instructions for setting up your encryption keys. You can do this now or wait until later.


1. Install GnuPG

Install GnuPG. I mostly use it on the command line but there are also GUI frontends.
https://gnupg.org/download/index.html

On Windows, I suggest using WSL2. Something like `sudo apt install gnupg`.
There is also a Windows distribution.

On Mac, there is an installer. It's also available through MacPorts and Homebrew.

2. Generate a public and private key pair

On some distributions, the gpg command is installed as `gpg2`. Usually it's just `gpg`.

Once installed, run `gpg --full-generate-key`. This will take you through some questions to generate your public and private keys. The defaults are fine. The main things you will set are your name and email address.

You can optionally set an expiration date for the keys. This can be changed later.

You can also optionally set a password for the private key. If anyone has your private key file, they can act as you. This is just password protecting the file.

Your GPG configuration will now likely exist in `~/.gnupg`.

3. Upload public key to a public key server

We will now publish the public key you've created to an open server where public keys are shared. You will later be able to modify what's published if you have the private key.

`gpg --list-signatures` will print out the public keys you have. This may include public keys from third parties. The public key you just generated should be there. Here is the output on my computer:

```
$ gpg --list-signatures
/home/user3/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2019-08-23 [SC] [expired: 2021-08-22]
      AC874006BB29ECAA219B780F58DE4DA829F19184
uid           [ expired] Blue Jeans Network, Inc. <security@bluejeans.com>
sig 3        58DE4DA829F19184 2019-08-23  Blue Jeans Network, Inc. <security@bluejeans.com>

pub   rsa2048 2015-06-07 [SC]
      396060CADD8A75220BFCB369B903BF1861A7C71D
uid           [ unknown] Zoom Video Communcations, Inc. Linux Package Signing Key <linux-package-signing-key@zoom.us>
sig 3        B903BF1861A7C71D 2015-06-07  Zoom Video Communcations, Inc. Linux Package Signing Key <linux-package-signing-key@zoom.us>
sub   rsa2048 2015-06-07 [E]
sig          B903BF1861A7C71D 2015-06-07  Zoom Video Communcations, Inc. Linux Package Signing Key <linux-package-signing-key@zoom.us>

pub   rsa4096 2021-11-18 [SC]
      F3DC5FF017E972D00275EE1E0E58204A25EB7CBE
uid           [ultimate] Tom Hutchinson <tom.hutchinson@pennmedicine.upenn.edu>
sig 3        0E58204A25EB7CBE 2021-11-18  Tom Hutchinson <tom.hutchinson@pennmedicine.upenn.edu>
sub   rsa4096 2021-11-18 [E]
sig          0E58204A25EB7CBE 2021-11-18  Tom Hutchinson <tom.hutchinson@pennmedicine.upenn.edu>
```

We want the long ID on the entry with your name. For me that's `F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`.

You can download my public key by: `gpg --keyserver keys.openpgp.org --recv-keys F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`

To upload your public key: `gpg --keyserver keys.openpgp.org --send-keys <your key id>`

For me that was: `gpg --keyserver keys.openpgp.org --send-keys F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`

4. Configure Carnival and push a snapshot build

I'll provide additional instructions on these steps.

The Gradle Signing plugin expects information about your keys to be passed in `gradle.properties` or as arguments to the gradle command. Does that work for us? I've been using gradle.properties but careful not to upload my settings to GitHub. Might not be ideal.
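Step 3 above tells you to find "the long ID on the entry with your name". The script below, an added example that is not part of the Carnival project or of this thread, does that selection mechanically: it parses `gpg --list-signatures` output (the listing quoted above, embedded so it runs offline), skips expired and third-party keys, and derives the 16-hex-digit long key ID that gpg prints on the matching `sig` line.

```sh
#!/bin/sh
# Added example, not part of the Carnival project: pick out your own key's
# fingerprint from `gpg --list-signatures` output, skipping expired keys and
# third-party keys, then derive the 16-hex-char long key ID that gpg prints
# on "sig" lines. SAMPLE_LISTING is the listing quoted in the issue above,
# embedded here so the script runs offline.
SAMPLE_LISTING='/home/user3/.gnupg/pubring.kbx
------------------------------
pub   rsa2048 2019-08-23 [SC] [expired: 2021-08-22]
      AC874006BB29ECAA219B780F58DE4DA829F19184
uid           [ expired] Blue Jeans Network, Inc. <security@bluejeans.com>

pub   rsa2048 2015-06-07 [SC]
      396060CADD8A75220BFCB369B903BF1861A7C71D
uid           [ unknown] Zoom Video Communcations, Inc. Linux Package Signing Key <linux-package-signing-key@zoom.us>
sub   rsa2048 2015-06-07 [E]

pub   rsa4096 2021-11-18 [SC]
      F3DC5FF017E972D00275EE1E0E58204A25EB7CBE
uid           [ultimate] Tom Hutchinson <tom.hutchinson@pennmedicine.upenn.edu>
sig 3        0E58204A25EB7CBE 2021-11-18  Tom Hutchinson <tom.hutchinson@pennmedicine.upenn.edu>
sub   rsa4096 2021-11-18 [E]'

# own_key_fingerprint LISTING -> prints the fingerprint of the first "pub"
# entry that is not expired and whose uid has [ultimate] trust (a key you
# generated yourself); returns 1 when no such key is in the listing.
own_key_fingerprint() {
    fpr=$(printf '%s\n' "$1" | awk '
        /^pub /  { expired = ($0 ~ /\[expired:/); fpr = ""; next }
        fpr == "" && NF == 1 && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { fpr = $1; next }
        /^uid / && !expired && fpr != "" && /\[ultimate\]/ { print fpr; exit }')
    [ -n "$fpr" ] && printf '%s\n' "$fpr"
}

# long_key_id FINGERPRINT -> the low 64 bits of the fingerprint, i.e. its last
# 16 hex digits; this is the ID shown on the "sig" line of the same key.
long_key_id() {
    printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

fpr=$(own_key_fingerprint "$SAMPLE_LISTING") || { echo "no usable key" >&2; exit 1; }
echo "upload this key with: gpg --keyserver keys.openpgp.org --send-keys $fpr"
echo "long key id: $(long_key_id "$fpr")"
```

On a real machine replace `SAMPLE_LISTING` with `$(gpg --list-signatures)`; the expired-key check matters because an expired key still appears in the listing but Maven Central cannot verify signatures made with it.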

hjwilli commented Dec 1, 2021

Hi @th5, thanks for these comprehensive instructions!

> The Gradle Signing plugin expects information about your keys to be passed in `gradle.properties` or as arguments to the gradle command. Does that work for us? I've been using gradle.properties but careful not to upload my settings to GitHub. Might not be ideal.

I agree, that's not ideal! Looks like there are a few ways to pass properties to a gradle project.

The signing plugin documentation recommends putting these credentials in the gradle.properties file in your gradle user home directory. This works well when we are building directly with gradle and avoids the issue of potential github pollution, but wouldn't be visible to docker or our CI systems.

Properties can also be passed via environmental variables, which might be a better strategy when publishing with docker or our CI systems. This would require a slight change to the docker-compose files to pass the local environment variables through to the containers, and a change to the gradle command to pass the env vars with -P flags. After that, all a user would need to do is have the appropriate environment variables set.
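The env-var-to-`-P` approach proposed above, as an added example that is not Carnival's own build script or part of this thread. It uses the property names the Gradle signing plugin documents (`signing.keyId`, `signing.password`, `signing.secretKeyRingFile`); the `CARNIVAL_SIGNING_*` variable names and the `GRADLE` override are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from Carnival's own build scripts: take the signing
# settings from environment variables and hand them to gradle as -P project
# properties (signing.keyId, signing.password, signing.secretKeyRingFile are
# the property names the Gradle signing plugin documents), refusing to start
# a build when any is unset. CARNIVAL_SIGNING_* and the GRADLE override are
# names assumed for this example.

# required_env NAME... -> returns 1 and lists every missing variable on stderr
# (names only, never values, so the passphrase cannot leak into CI logs).
required_env() {
    missing=
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    [ -z "$missing" ] || { echo "missing environment variables:$missing" >&2; return 1; }
}

# run_gradle_signed TASK... -> runs gradle (./gradlew unless GRADLE is set)
# with the signing properties appended as separate arguments, so a passphrase
# containing spaces survives intact instead of being split by the shell.
run_gradle_signed() {
    required_env CARNIVAL_SIGNING_KEY_ID CARNIVAL_SIGNING_PASSWORD \
                 CARNIVAL_SIGNING_KEYRING || return 1
    "${GRADLE:-./gradlew}" "$@" \
        "-Psigning.keyId=$CARNIVAL_SIGNING_KEY_ID" \
        "-Psigning.password=$CARNIVAL_SIGNING_PASSWORD" \
        "-Psigning.secretKeyRingFile=$CARNIVAL_SIGNING_KEYRING"
}

# In docker-compose, list the variables without values so the host
# environment supplies them, and mount the keyring read-only:
#   environment: [CARNIVAL_SIGNING_KEY_ID, CARNIVAL_SIGNING_PASSWORD, CARNIVAL_SIGNING_KEYRING]
#   volumes: ["${CARNIVAL_SIGNING_KEYRING}:${CARNIVAL_SIGNING_KEYRING}:ro"]
# Then, from the host or inside the container:
#   run_gradle_signed publish
```

One caveat: `-P` values appear in the process list on a shared build host, whereas Gradle also reads any `ORG_GRADLE_PROJECT_<name>` environment variable as a project property, which keeps the passphrase off the command line.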

hjwilli commented Jan 27, 2022

Hi @th5 , I made pr #73 for these changes.
